neshta | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-en-20211208
submitted
24-01-2022 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
Size

219KB
MD5

3d57a5f5b5cf01b8ff1867d8a004090f
SHA1

5cc7fc1da338ec10ae1d59b0296697d57cbc21b6
SHA256

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9
SHA512

8a71c0d733738a6e2e3ea1fcb939cff18619a5733866b1ada145af4a14a597f494352a459d2212e2fcd8873da4d68bcdd972fe4de7339625ce8ebb29ebef6253

Score

10^/10

neshta sodinokibi 19 96 persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ol215ll-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ol215ll. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8A3362DC28EB2F3A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8A3362DC28EB2F3A Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: Md00XppC313bRFkPTNxrwcwDuLNuLaM0N/mTGJtBAJVxUdjMaO6kiXP6Sirn19Zy N242YKf90MlCujkjg3mGSkC4jj6pCo7gKjZfN+v4v3hLoL3FtY6TW1fKFbwy3QYB gTIMbxrNNV+9hwfOXI7NnzWRJDIZRYHI4fE1l1/T9978dpkq/sTU5b5wpAzp/9TI Eb7RM0c9U+tf5eP9OE9iAo5l+/1Zr0FUSeYuTnPEqswBc5mVFG49m1VH9GrpdT0n ll5wU3HR/mSWZbndTuPoXMrHHfl9nbsOB0iui4SNMMzrET8tGUF3bsJIbIgv3hrj mZPIRbvsiLnaZVjAa6kfDwdE7CCSVD8dJmOGIv8GsqAjpfxCq/eiSRSYoG1NwcQy zBIETxWWwP0e2vZyy3Gmr5jBGTRiWqAbNZwC2GOi2TcOiQkjwHiJ6y1rbRjfhAm4 DAi+vVj8uT2+AsZNKx/9dWwDkkXiKLPxGpeaqCQ1jVSai9GfgbVH4h61y/3BRLCr wofgWxRKJJc44P30+k7BWzNRCpjEvLBcLd0CmJxrVFysBbfgBVRMYfjcEyzLxppI y0QqrjJcrRrSPWFeopgVWMyYfr4HIHxlpQ0IIPc+SbWQ6WJ0KzusjXaEUHIAg7UP C9tcEmza8fHsfBWE2dhr1adBl7BIsvUHnd/1StLd2puRv9eeY4xDZalU4MlLt6pb xSl0ou1rQlTgrUcLRCjCfQr9wkqLk34Zr9Dq/D/Aacj1o1NWR2I6E57Q3WAP56NU Qk9p9GIRPhyCoWl24OxV2/lGvREIdly83ZVbMGQS8MoedTselbUGlbC0C1GkjH3G OxuOiK31qC7L4bS1wIr1sLG1bI4jz5y1Jeb+M8UQH8WPnYUi/QKddEf2XurRkqXv Z01sdSNmW5bfQqOlXOVFTyRlZJqy/TcQDI7q9Jy2HtEHQHRPt3Z23xTTSW1ctwmT 0ILg58Y33byoXFrMVl3fdElS1vyqHrELR5dC5WJM3ZlK5g9txH2CMMDgBiu5utnO gg6+nUKQhxy3Z8NkysIKQKIpuTY3GnhBYZNmQGRigJ1Z9fW266BdoCQZg27XXVNz dC8vAeljZKnHlIgbRR9AfFYsyuRLmToyemNO+qhfXdOkHrAPxq0HOGkXq/Y+teCZ 5Kw= Extension name: ol215ll ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8A3362DC28EB2F3A

http://decryptor.top/8A3362DC28EB2F3A

Extracted

Family

sodinokibi

Botnet

Campaign

speiserei-hannover.de

delegationhub.com

subyard.com

martha-frets-ceramics.nl

hostastay.com

luvbec.com

dayenne-styling.nl

111firstdelray.com

lidkopingsnytt.nu

fbmagazine.ru

peppergreenfarmcatering.com.au

ya-elka.ru

mundo-pieces-auto.fr

mediabolmong.com

yuanshenghotel.com

fidelitytitleoregon.com

penumbuhrambutkeiskei.com

2020hindsight.info

aslog.fr

teethinadaydentalimplants.com

Attributes

net
true
pid
19
prc
tbirdconfig
onenote
sqlbrowser
firefoxconfig
ocautoupds
ocssd
thebat
winword
mspub
dbeng50
steam
sqlwriter
sqlservr
msftesql
encsvc
infopath
mysqld_nt
sqlagent
mydesktopqos
synctime
wordpad
powerpnt
outlook
dbsnmp
isqlplussvc
ocomm
sqbcoreservice
oracle
thunderbird
xfssvccon
excel
mydesktopservice
msaccess
mysqld_opt
mysqld
agntsvc
thebat64
visio
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
96
svc
veeam
backup
sql
mepocs
sophos
svc$
vss
memtas

Signatures

Detect Neshta Payload 34 IoCs

Processes:

resource	yara_rule
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	family_neshta
\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	family_neshta
\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	family_neshta
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	family_neshta
\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	family_neshta
\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	family_neshta
\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	family_neshta
\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
\PROGRA~2\MOZILL~1\MAINTE~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Sodinokibi/Revil sample 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	family_sodinokobi
\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	family_sodinokobi
C:\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	family_sodinokobi
C:\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	family_sodinokobi
\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	family_sodinokobi

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exesvchost.com

pid process

268 ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
284 svchost.com

pid	process
268	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
284	svchost.com

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PushSuspend.raw => \??\c:\users\admin\pictures\PushSuspend.raw.ol215ll	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\pictures\RepairUnprotect.tiff	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File renamed	C:\Users\Admin\Pictures\RepairUnprotect.tiff => \??\c:\users\admin\pictures\RepairUnprotect.tiff.ol215ll	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File renamed	C:\Users\Admin\Pictures\RevokeReceive.crw => \??\c:\users\admin\pictures\RevokeReceive.crw.ol215ll	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File renamed	C:\Users\Admin\Pictures\SearchWait.crw => \??\c:\users\admin\pictures\SearchWait.crw.ol215ll	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File renamed	C:\Users\Admin\Pictures\StepRegister.crw => \??\c:\users\admin\pictures\StepRegister.crw.ol215ll	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File renamed	C:\Users\Admin\Pictures\SwitchPush.crw => \??\c:\users\admin\pictures\SwitchPush.crw.ol215ll	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File renamed	C:\Users\Admin\Pictures\GetSet.png => \??\c:\users\admin\pictures\GetSet.png.ol215ll	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

Loads dropped DLL 12 IoCs

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exeee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exesvchost.com

pid	process
880	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
880	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
268	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
880	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
284	svchost.com
284	svchost.com
284	svchost.com
284	svchost.com
284	svchost.com
284	svchost.com
284	svchost.com
880	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 28 IoCs

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\favorites\links\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\recorded tv\sample media\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\program files (x86)\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\downloads\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\pictures\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\music\sample music\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\videos\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\searches\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\music\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\recorded tv\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\pictures\sample pictures\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\favorites\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\links\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\videos\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\music\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\favorites\links for united states\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\videos\sample videos\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\contacts\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\pictures\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\saved games\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\desktop\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\downloads\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\program files\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\admin\documents\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\documents\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\users\public\libraries\desktop.ini	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

description	ioc	process
File opened (read-only)	\??\K:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\M:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\N:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\U:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\H:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\J:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\T:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\V:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\Z:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\A:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\F:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\L:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\S:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\W:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\X:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\Y:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\B:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\E:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\G:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\I:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\O:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\P:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\Q:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\R:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened (read-only)	\??\D:	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

Drops file in System32 directory 1 IoCs

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cgm.bmp"	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

Drops file in Program Files directory 64 IoCs

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exesvchost.comee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	\??\c:\program files\EnableTrace.pot	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	\??\c:\program files\DismountCheckpoint.wma	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\program files\ConvertAdd.mhtml	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	\??\c:\program files\WatchSearch.rm	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	svchost.com
File created	\??\c:\program files\ol215ll-readme.txt	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\program files\EnableFind.jtx	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\program files\UnprotectUpdate.xml	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File created	\??\c:\program files (x86)\ol215ll-readme.txt	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\program files\CloseWait.xlsx	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	\??\c:\program files\ReceiveResolve.iso	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com

Drops file in Windows directory 3 IoCs

Processes:

svchost.comee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1684 vssadmin.exe

pid	process
1684	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734\Blob = 030000000100000014000000247106a405b288a46e70a0262717162d0903e734140000000100000014000000b390a7d8c9af4ecd613c9f7cad5d7f41fd6930ea0400000001000000100000001a9a69a81f6da92d87f7694e16d8b8790f00000001000000300000009e9609372f45b5101548e8af9a20e0dbf5932dea9b9af86759c2029bc3b53e306e6491f6b15bf00b1e2dee3bb8d43d2219000000010000001000000043e6fa09a3b9d0de6fbe3aacd184c8fd180000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000ed050000308205e9308203d1a003020102021005e4dc3b9438ab3b8597cba6a19850e3300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3134303931323030303030305a170d3234303931313233353935395a305f310b3009060355040613024652310e300c060355040813055061726973310e300c060355040713055061726973310e300c060355040a130547616e64693120301e0603550403131747616e6469205374616e646172642053534c204341203230820122300d06092a864886f70d01010105000382010f003082010a028201010094042da6799574ffd5003cf5aed894b1297cc08f0b0b89b98283976e3728f5a21acfd2920b9ba8d387947384109fdc35cbc22d92ac21b9cb3bfc40c1c18321f0bff8f69cfa9c8210c0d08e4ee50d4cb0915c90b4a4405116dae484122d055ca11f17192451aa7aeae1071b868d0172f2e7d48323399ee0e14c1f6b22a3b41066b0ed8296d76e6ab4f23fb542fcdd8ab5abba2d1d3a759b31dc3e9dac5bd3410d6cb01bf53af579ea21a2f8f433524b242d1ea499b16d48bcb812fe72707cf7fb0275f48dded6dac0a0321a52df386b2e45383f3f049600fda1f4a2bbd517d6277c1b5859955e8a12fd9cab813e52284851856bf391b2863f29b56e0362eed6050203010001a382017530820171301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e04160414b390a7d8c9af4ecd613c9f7cad5d7f41fd6930ea300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b2310102021a3008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c050003820201005867fd72b26ad77c6196197ed94346d1267dc853fa66b06b2da7d3aa56f73a88d03b72c950fdf759b2aa68f58c7303bb956517ce2f1cdd9813a291c9eea1406e3c98d65cf3b2223c2dee1ba4e1de202416f28c1173913af6face240287ca93ecb4b6c81617c572fc2740f613fe93a69d51ef3c2bd877579b8c653a352536b7b58a636f072793b1608d80db96d47a8f2dab1c88c96e7ed6651faf5dca163f2846dca035e5f9e9e5d596880c4fc6b77767488427b61fb068dbacbf77b090b8a2c91c325d02ba2543814247bbd8e18f0c0c465fee46336b031482d37ecd8faf90d68e247d4042b46a6a17c69597e1f238cda7edb4274093df72a9b8c666633738642230a23bf1b9c87bc8fb293aab1a72d206124ef682d4236f3ec393e5d8b6c0dedc2316d61330b7a09a0e2c5506007001cfea391d80db88f7a520b85bfd3126698f2d0a61833a47a613542c1ee3ed44cabc6a1f280e51d9de0e9f75cd0e0395caf9c5a92a2dfe41a4a147ae0dc2f93966334a5be18428596c7d941776e44582ad7020fdd26f63a8d7faa033fa37cbf7b2659eda506f3fe4a7f38e5d58329770232ee7fdc4159b9c278f32ed17ad58813129111a9bd4fc6c9528c74e0507a6fd1dbc19e2e8b7b9118a2d701252858d8c334a0ffc9992e06370daa594476307e758c7315f053d3655fe83b2e8a6add7e9e6027488745cda34db90d26d510a23d623	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

pid process

268 ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1556 vssvc.exe
Token: SeRestorePrivilege 1556 vssvc.exe
Token: SeAuditPrivilege 1556 vssvc.exe

pid	process
268	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

description	pid	process
Token: SeBackupPrivilege	1556	vssvc.exe
Token: SeRestorePrivilege	1556	vssvc.exe
Token: SeAuditPrivilege	1556	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exeee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exesvchost.comcmd.exe

description	pid	process	target process
PID 880 wrote to memory of 268	880	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
PID 880 wrote to memory of 268	880	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
PID 880 wrote to memory of 268	880	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
PID 880 wrote to memory of 268	880	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
PID 268 wrote to memory of 284	268	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	svchost.com
PID 268 wrote to memory of 284	268	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	svchost.com
PID 268 wrote to memory of 284	268	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	svchost.com
PID 268 wrote to memory of 284	268	ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe	svchost.com
PID 284 wrote to memory of 2032	284	svchost.com	cmd.exe
PID 284 wrote to memory of 2032	284	svchost.com	cmd.exe
PID 284 wrote to memory of 2032	284	svchost.com	cmd.exe
PID 284 wrote to memory of 2032	284	svchost.com	cmd.exe
PID 2032 wrote to memory of 1684	2032	cmd.exe	vssadmin.exe
PID 2032 wrote to memory of 1684	2032	cmd.exe	vssadmin.exe
PID 2032 wrote to memory of 1684	2032	cmd.exe	vssadmin.exe
PID 2032 wrote to memory of 1684	2032	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
"C:\Users\Admin\AppData\Local\Temp\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe"
2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:1684

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Deletion

T1107

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
MD5
034978c5262186b14fd7a2892e30b1cf

SHA1
237397dd3b97c762522542c57c85c3ff96646ba8

SHA256
159776d43dd2a8d843b82ece0faf469f9088a625d474ce4eea9db59d94a844e6

SHA512
d216e757616121d9902b0db2669b6e2aa9eb2697427c9ea2804ebda9690abbf9219c6e603d63ff19dc6115a072985ca862499b5f8319ca057a16e81aec9ea949

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
MD5
a8dadf93b223cb3c075204b0bd38c9c6

SHA1
41c4cf4e60dd6b2b3a09085af3f62f21914eba5b

SHA256
0b9faeceb83cfb2cbb2b04a5dc719288355ad3a221f4b413bc1a1d1bc5e335e0

SHA512
5d750b4ea23292859dda58dc81b82f234f00d0968f088e38353dd574caa43b4bd2f954750eb5135a20a8e934c7c12bd13c9badb653afc9483594b5f877c97031

Download Submit
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
MD5
b19c2fa49e278935e6a3087fdd0da46e

SHA1
04a5de16b6840a8fe68753028bd2ff20381ed720

SHA256
c70151fc7fb7d461ba596455bfc7e79e199a3c0ac766c5d67f9347b39e20b7b9

SHA512
0399a45ee6a87d5899020d4106bc6ff521285b34c61afcd4929b6274166f7585c01749a1ee1814e82c90a5d8deb1dfa28bde6b105029f74d33f7a3e848d0dc39

Download Submit
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
MD5
8acc19705a625e2d4fa8b65214d7070a

SHA1
ad16e49369c76c6826a18d136bf9618e8e99ec12

SHA256
3fb179a3ae88a3d14db48de29d4b9d43243b80b2118b578b8117ad776ce47f12

SHA512
92e22275194b5a73d825e1e7ad5a5cb5649d3679f545f88328aa72e39c161c4d797b7b3462e590edf546ddbd53c1508a49056f50fa63b113134e1bdc7d977dec

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
MD5
7a4edc8fb7114d0ea3fdce1ea05b0d81

SHA1
02ecc30dbfab67b623530ec04220f87b312b9f6b

SHA256
ff16fdc703e55ddfe5ee867f343f3b20b496e7199c6c4b646335a01026f74550

SHA512
39519685b1dd872008abfa967f79fd3b7a5e6f6ee1b9c3de891aae64490b2d0feb56bcd3f5dab4527d2c6d07646db5966028df153f38a1c09ee88a1ba9a1ef44

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
MD5
08ee3d1a6a5ed48057783b0771abbbea

SHA1
ebf911c5899f611b490e2792695924df1c69117d

SHA256
3f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0

SHA512
1711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5

Download Submit
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
MD5
2d1b4a44f1f9046d9d28e7e70253b31d

SHA1
6ab152d17c2e8a169956f3a61ea13460d495d55e

SHA256
d1d73220342ff51a1514d2354654c6fcaedc9a963cb3e0a7e5b0858cfc5c5c7d

SHA512
dd8f5e343417a3e131b3362f1aecaf9ce0f8a55c9f90aa3b7e55b6ddb6c5f4e06b3e76a7f4481fa13e2f325ab2490553f6977178acf7c486c7315755c05fc7c3

Download Submit
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
MD5
525f8201ec895d5d6bb2a7d344efa683

SHA1
a87dae5b06e86025abc91245809bcb81eb9aacf9

SHA256
39a089d363b15c37cca9f747a17e89ad1dbe0bc86ff23466526beaa5e36d6d4b

SHA512
f0a2070f11eb3f0bdf996ada42becc7710aab76e84268e5cdbbd9ecbf13ef5fb85b52b6227711137a9c511f8d731b018530cbf1935f8fcfd61ff2ef6c1348d63

Download Submit
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
MD5
61631e66dbe2694a93e5dc936dd273be

SHA1
b1838b8ca92fa5ca89e1108ceb2630a6ecd2b8c2

SHA256
5811b7b694d99c703b4c4bc72d6b7d846d05b2b0f45a7e3e4279cdb6fd81265f

SHA512
323463c267ccdb701d5967198f4f72158056f5a6e889c47bf19d1a670233ab071a5fe8c108430beb67753b77af1c59028007101a8e1266618fe91fa0127b4dcf

Download Submit
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
MD5
9b1c9f74ac985eab6f8e5b27441a757b

SHA1
9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

SHA256
2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

SHA512
d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
MD5
5ae9c0c497949584ffa06f028a6605ab

SHA1
eb24dbd3c8952ee20411691326d650f98d24e992

SHA256
07dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e

SHA512
2e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
MD5
fc87e701e7aab07cd97897512ab33660

SHA1
65dcd8e5715f2e4973fb6b271ffcb4af9cefae53

SHA256
bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46

SHA512
b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec

Download Submit
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
MD5
93766da984541820057ae0ab3d578928

SHA1
ea19a657c6b1b5eb5accc09c45dcf04f063151c3

SHA256
ad3a9f7beaaea0bc49a7ccba83198cfb2882d462441203684076695b0ef6c514

SHA512
e14c86e13ab79fa9b9eb1a05d69764d522c4acfab7742c200080b215bb3bc31ec7f3dd2abf44cbc996d2e58a0ca1990b18ab055b232b243fe61b5fb018a9b719

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
MD5
f2056a3543ba9b6b6dde4346614b7f82

SHA1
139129616c3a9025a5cb16f9ad69018246bd9e2d

SHA256
2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e

SHA512
e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
MD5
f6636e7fd493f59a5511f08894bba153

SHA1
3618061817fdf1155acc0c99b7639b30e3b6936c

SHA256
61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

SHA512
bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
MD5
3e8de969e12cd5e6292489a12a9834b6

SHA1
285b89585a09ead4affa32ecaaa842bc51d53ad5

SHA256
7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

SHA512
b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
MD5
a49eb5f2ad98fffade88c1d337854f89

SHA1
2cc197bcf3625751f7e714ac1caf8e554d0be3b1

SHA256
99da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449

SHA512
4649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
MD5
d0190f94e6d05104977c53b55dbc2911

SHA1
c0ff002b0e26b180a741c3cefff15190df7746cc

SHA256
f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69

SHA512
d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
MD5
d0190f94e6d05104977c53b55dbc2911

SHA1
c0ff002b0e26b180a741c3cefff15190df7746cc

SHA256
f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69

SHA512
d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com
MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
MD5
e1833678885f02b5e3cf1b3953456557

SHA1
c197e763500002bc76a8d503933f1f6082a8507a

SHA256
bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14

SHA512
fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
MD5
034978c5262186b14fd7a2892e30b1cf

SHA1
237397dd3b97c762522542c57c85c3ff96646ba8

SHA256
159776d43dd2a8d843b82ece0faf469f9088a625d474ce4eea9db59d94a844e6

SHA512
d216e757616121d9902b0db2669b6e2aa9eb2697427c9ea2804ebda9690abbf9219c6e603d63ff19dc6115a072985ca862499b5f8319ca057a16e81aec9ea949

Download Submit
\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
MD5
08ee3d1a6a5ed48057783b0771abbbea

SHA1
ebf911c5899f611b490e2792695924df1c69117d

SHA256
3f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0

SHA512
1711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5

Download Submit
\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
MD5
525f8201ec895d5d6bb2a7d344efa683

SHA1
a87dae5b06e86025abc91245809bcb81eb9aacf9

SHA256
39a089d363b15c37cca9f747a17e89ad1dbe0bc86ff23466526beaa5e36d6d4b

SHA512
f0a2070f11eb3f0bdf996ada42becc7710aab76e84268e5cdbbd9ecbf13ef5fb85b52b6227711137a9c511f8d731b018530cbf1935f8fcfd61ff2ef6c1348d63

Download Submit
\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
MD5
9b1c9f74ac985eab6f8e5b27441a757b

SHA1
9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

SHA256
2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

SHA512
d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

Download Submit
\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
MD5
93766da984541820057ae0ab3d578928

SHA1
ea19a657c6b1b5eb5accc09c45dcf04f063151c3

SHA256
ad3a9f7beaaea0bc49a7ccba83198cfb2882d462441203684076695b0ef6c514

SHA512
e14c86e13ab79fa9b9eb1a05d69764d522c4acfab7742c200080b215bb3bc31ec7f3dd2abf44cbc996d2e58a0ca1990b18ab055b232b243fe61b5fb018a9b719

Download Submit
\PROGRA~2\MOZILL~1\MAINTE~1.EXE
MD5
f2056a3543ba9b6b6dde4346614b7f82

SHA1
139129616c3a9025a5cb16f9ad69018246bd9e2d

SHA256
2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e

SHA512
e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
MD5
d0190f94e6d05104977c53b55dbc2911

SHA1
c0ff002b0e26b180a741c3cefff15190df7746cc

SHA256
f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69

SHA512
d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
MD5
d0190f94e6d05104977c53b55dbc2911

SHA1
c0ff002b0e26b180a741c3cefff15190df7746cc

SHA256
f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69

SHA512
d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
MD5
d0190f94e6d05104977c53b55dbc2911

SHA1
c0ff002b0e26b180a741c3cefff15190df7746cc

SHA256
f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69

SHA512
d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868

Download Submit
memory/880-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download